From: "Michael Yates"
To: "tomcat user List (E-mail)"
Subject: CLIENT-CERT over secure and non-secure connectors
Date: Tue, 17 Dec 2002 20:38:38 +1100
List-Id: "Tomcat Users List"
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm

Hi all,

I have an unusual set-up/configuration question. I wish to have a single instance of a web-app accessible over both HTTP and HTTPS (with the HTTPS users authenticating with client certificates). The reason for this configuration is that the non-secure port may be handling traffic coming over (say) a VPN, which already has all of the security required, whereas the secure port may be more open and available to the "general public".
However, if I add CLIENT-CERT along with the other necessary security setup stuff in my web-app's web.xml file, it uses the SSLAuthenticator valve when processing both the HTTP and the HTTPS requests. This means traffic coming over standard HTTP gets stopped with errors like "no certificate chain".

Can anyone see any way to have the one web-app require client certification when the user comes over HTTPS but allow them access when they come over HTTP?

Regards,
Michael Yates
Software Engineer
Australia (Wollongong) R&D
yatesmi@nortelnetworks.com
ESN 639-7547
Direct +61 2 42547547
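The message above describes a policy that web.xml's <login-config> cannot express: one web-app, client certificate required on the HTTPS connector, no certificate on the HTTP connector. The filter below is an added example, not code from the post or from any list reply, and it is an assumption that the application is willing to enforce that policy itself instead of through container-managed CLIENT-CERT authentication. It relies only on standard Servlet 2.3 API: ServletRequest.isSecure(), which Tomcat sets for requests arriving on an SSL connector, and the javax.servlet.request.X509Certificate request attribute, which the SSL connector populates with the verified client chain when clientAuth="true". The class name and the filter's registration details are hypothetical.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not from the original post).
 *
 * Requires a client certificate only for requests that arrived over a
 * secure (SSL) connector; requests on the plain HTTP connector, e.g. the
 * VPN-side traffic the post describes, pass through untouched.
 *
 * Register it in web.xml instead of a CLIENT-CERT <login-config>:
 *   <filter><filter-name>secureOnlyClientCert</filter-name>
 *           <filter-class>SecureOnlyClientCertFilter</filter-class></filter>
 *   <filter-mapping><filter-name>secureOnlyClientCert</filter-name>
 *                   <url-pattern>/*</url-pattern></filter-mapping>
 */
public class SecureOnlyClientCertFilter implements Filter {

    /** Attribute name defined by the Servlet spec for the client chain. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure in this example
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only for requests that came in on an SSL connector
        // (or one explicitly marked secure="true"); plain HTTP skips the check.
        if (request.isSecure()) {
            X509Certificate[] clientChain =
                (X509Certificate[]) request.getAttribute(CERT_ATTR);

            // The connector has already validated the chain against its
            // truststore when clientAuth="true"; here we only insist that a
            // chain is present at all. With clientAuth="false" the attribute
            // is never set and every HTTPS request would be refused here.
            if (clientChain == null || clientChain.length == 0) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                                   "client certificate required on the secure connector");
                return;
            }

            // Application-level identity decisions (subject DN, issuer,
            // mapping to roles) belong here; the container's <auth-constraint>
            // role checks are not involved once <login-config> is dropped.
            X509Certificate leaf = clientChain[0];
            request.setAttribute("clientSubjectDN", leaf.getSubjectDN().getName());
        }

        chain.doFilter(req, res);
    }
}
```

Two caveats a practitioner would want: because the web-app no longer declares CLIENT-CERT, the container performs no authentication at all and <security-constraint> role checks will not fire, so any authorization has to be done from the attribute this filter sets; and the decision keys off isSecure(), so an HTTP connector configured with secure="true" (for instance behind a TLS-terminating front end) would be treated as secure and refused for lack of a certificate it can never carry.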